COLUMN

Inside MSRC: Visual Studio update affects multiple systems

By Christopher Budd 11 Sep 2007 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

For September 2007 we are releasing four new security bulletins. One of the bulletins, for Windows 2000 only, is rated as Critical. The remaining three are rated "important."

To help with your planning and risk assessment, in this months' column, I'll cover information to help you understand what systems are affected by MS07-052, the Crystal Reports bulletin, and MS07-053, the Services for UNIX bulletin.

First, though, I'll briefly recap some information that is important, and useful for your deployment infrastructure planning.

Expiration of support for MBSA 1.2.1
With the September release, we are one month away from the expiration of support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1. We will provide support for MBSA 1.2.1 for the October 2007 release, until Oct. 9, 2007. After that date, we will no longer provide support for MBSA 1.2.1 for new security updates. If you've not done so already, we strongly encourage you to begin upgrading to the latest version, MBSA 2.0.1. You can get more information about MBSA 2.0.1 here.

About Inside MSRC: As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates. Also see: Inside MSRC: Microsoft releases searchable update database Inside MSRC: Microsoft Server flaw should be given high priority Inside MSRC: Microsoft offers details on MOICE advisory, Outlook flaws

Microsoft Update Catalog
I discussed this in last month's Inside MSRC column, but because it can be such a valuable resource, I'll mention once again that we have another tool to help you deploy updates, including security updates: the Microsoft Update Catalog. This is a searchable catalog of all security updates, drivers and service packs that are available through Windows Update (WU) and Microsoft Update (MU). You can use the Microsoft Update Catalog to distribute these updates through a corporate network, using tools such as WSUS 3.0, System Center Essentials (SCE) or System Center Configuration Manager (SCCM).

You can get more information on the Microsoft Update Catalog. Also, the Microsoft Update team has information on this, as well as other things, on their Technet blog.

MS07-052 and MS07-053
The MS07-052, the Crystal Reports for Visual Studio bulletin, and MS07-053, the Services for UNIX bulletin have slightly more complex scenarios in terms of the possible affected systems.

MS07-052 addresses a code execution vulnerability that can be exploited when opening a malformed Crystal Reports .RPT file. Crystal Reports is installed with some versions of Visual Studio. MS07-052 goes into more detail about what versions of Visual Studio include Crystal Reports for Visual Studio.

MS07-053 addresses an elevation of privilege vulnerability in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications within Windows.

Windows Services for UNIX 3.0 and 3.5 are available as separate downloads and have to be downloaded and installed. They are not part of any version of Windows by default. The Subsystem for UNIX-based Applications is a component of both Windows Server 2003 and Windows Vista but is not installed by default.

This means that, by default, no version of Windows is vulnerable to these issues. However, if you have enabled the Subsystem for UNIX-based Applications or downloaded and installed either Windows Services for UNIX 3.0 or 3.5, you should apply the security updates. You can get more information about the systems affected in MS07-053.

For both MS07-052 and MS07-053 you can use MBSA 2.0.1, this month's edition of the Enterprise Scan Tool (EST), WSUS and Systems Management Server (SMS) to identify systems that the security updates apply to. You can also use WSUS and SMS to deploy these updates.

Conclusion
On Wednesday, Sep. 12, at 11 a. m. Pacific Time, we'll be holding our monthly security bulletin webcast. Mike Reavey, and I, will be reviewing this month's bulletins and taking your questions and giving you answers prepared by our subject matter experts. If you can't join us for the live broadcast, you can also listen to the webcast later, on-demand.

As I noted earlier, the October 2007 bulletin release will be on Tuesday, Oct. 9; so be sure to mark your calendars for that and check back then for the next edition of this column with information to help you plan and deploy the release for your environment.

Tags: Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary